Security Auditing Overview

Published: February 29, 2012

Updated: August 15, 2012

Applies To: Windows 8, Windows Server 2012

This technical overview for the IT professional describes the security auditing features in Windows 8 and Windows Server 2012 and how your organization can benefit from using these technologies to enhance the security and manageability of your network.

Security auditing is a powerful tool to help maintain the security of an enterprise. Auditing can be used for a variety of purposes – forensic analysis, regulatory compliance, monitoring user activity, and troubleshooting. Industry regulations in various countries or regions require enterprises to implement a strict set of rules related to data security and privacy. Security audits can help implement such policies and prove that these policies have been implemented. Also, security auditing can be used for forensic analysis and help administrators detect anomalous behavior, identify and mitigate gaps in security policies, and deter irresponsible behavior by tracking critical user activities

You can use Windows security and system logs to record and store security events tracking key system and network activities associated with potentially harmful behaviors and to mitigate those risks. You can enable auditing based on categories of security events such as:

Changes to user account and resource permissions.

Failed attempts by users to log on.

Failed attempts to access resources.

Changes to system files.

In Windows Server 2008 R2 and Windows 7, the number of security audit policy settings was increased from nine to 53, and all auditing capabilities were integrated with Group Policy. This allows administrators to configure, deploy, and manage a wide range of settings in the Group Policy Management Console (GPMC) or Local Security Policy snap-in for a domain, site, or organizational unit (OU). Windows Server 2008 R2 and Windows 7 made it easier for IT professionals to track when precisely defined, significant activities take place on the network. For more information, see Advanced Security Audit Policy Settings.

In Windows Server 2012, changes to security auditing have been introduced to:

Reduce the volume of audits. Windows Server 2012 enables you to target audit policies to specific files and users based on resource attributes and user and device claims.

Improve the manageability of audit policies. The introduction of Global Object Access Auditing in Windows Server 2008 R2 provided an effective means for enforcing application of security audit policy on resources. Combining Global Object Access Auditing with claims and Dynamic Access Control allows you to take this global enforcement mechanism and apply it to a more precise set of activities of potential interest.

Enable security auditing of removable storage devices. The growing popularity of removable storage devices makes their attempted use a significant security concern that needs to be monitored.

Dynamic claim-based auditing leads to more precise and easier-to-manage audit policies. It enables scenarios that until now were impossible or too difficult to configure. In addition to these improvements we have added new audit events and categories for tracking changes to Dynamic Access Control (DAC) policy elements, including:

Changes to resource attributes on files.

Changes to central access policies associated with files

User and device claims.

Changes to user and device claims and resource property definitions.

Changes to central access policy and central access rule definitions.

The following are examples of audit policies that administrators can author:

Anyone without a “High” security clearance who attempts to access documents classified as High Business Impact (HBI). For example, Audit | Everyone | All-Access | Resource.BusinessImpact=HBI AND User.SecurityClearance!=High.

Audit all vendors when they access documents related to projects that they are not working on. For example, Audit | Everyone | All-Access | User.EmploymentStatus=Vendor AND User.Project Not_AnyOf Resource.Project.

These policies help regulate the volume of audit events and limit them to only the most relevant data or users.

To provide a full view of events across the organization, Microsoft is working with partners to provide event collection and analysis tools, such as Microsoft System Center.

To use security auditing, you need to configure the system access control list (SACL) for an object, and apply the appropriate security audit policy to the user or computer. For more information, see Managing Security Auditing.